Nick Kartsioukas <lists.freerad...@change.nightwind.net> wrote:
>
> Okay...let's say I have an SSID for students and an SSID for staff.
> Students authenticate against LDAP, which stores passwords as salted
> SHA1 hashes. Staff authenticate against Windows ActiveDirectory.
> I've found where the WLC sends the SSID to FreeRADIUS, so I can get at
> that. My question is, how do I set up the EAP-TTLS/PAP session for the
> Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID?
> Are these configured as different virtual servers? Or just different
> modules that I call from the users file like so:
> DEFAULT Auth-Type := student_module, Called-Station-SSID := "student"
> DEFAULT Auth-Type := staff_module, Called-Station-SSID := "staff"
>

Just duplicate what you see in eap.conf to look something like:
----
eap EAP_student {
	# set this to peap for staff
	default_eap_type = ttls
	timer_expire = 60
	ignore_unknown_eap_types = no
	max_sessions = 4096

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_password = ${local.cert.password}
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		cipher_list = "AES:HIGH:!aNULL:!eNULL:@STRENGTH"
	}

	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = yes
		virtual_server = "auth"
	}

	# comment 'ttls' and uncomment following for staff
	#peap {
	#	default_eap_type = mschapv2
	#	copy_request_to_tunnel = no
	#	use_tunneled_reply = yes
	#	virtual_server = "auth"
	#}
	#
	#mschapv2 {
	#	send_error = yes
	#}
}

eap EAP_staff {
	....
}
----

----
authorize {
	...
	if (Airespace-Wlan-Id == "student_ssid") {
		EAP_student
	}
	else {
		EAP_staff
	}
	...
}
----

Cheers

-- 
Alexander Clouter
.sigmonster says: Remember to say hello to your bank teller.
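
Why the student SSID in the question is paired with PAP inside the TTLS tunnel: an LDAP salted SHA1 ({SSHA}) value can only be checked by re-hashing the cleartext password with the stored salt. This is an added example, not part of the original thread; the function names, sample password and salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an LDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> tuple:
    """Split an {SSHA} value into (digest, salt); reject malformed input."""
    scheme, sep, b64 = stored.partition("}")
    if not sep or scheme.upper() != "{SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("missing salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_pap(stored: str, cleartext: bytes) -> bool:
    """PAP-style check: re-hash the tunnelled cleartext with the stored salt.

    The server never recovers the password from the directory entry, so a
    challenge-response inner method such as MSCHAPv2 (which needs the NT
    hash of the password) cannot be answered from an {SSHA} value alone.
    """
    try:
        digest, salt = parse_ssha(stored)
    except ValueError:
        return False
    candidate = hashlib.sha1(cleartext + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


# Constructed sample directory entry (fixed salt so the value is reproducible).
SAMPLE_SALT = b"\x01\x02\x03\x04"
SAMPLE_ENTRY = make_ssha(b"correct horse", SAMPLE_SALT)

if __name__ == "__main__":
    print(SAMPLE_ENTRY)
    print(verify_pap(SAMPLE_ENTRY, b"correct horse"))  # matching password
    print(verify_pap(SAMPLE_ENTRY, b"wrong guess"))    # non-matching password
```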